From 5034716ea3c97a2dd94deb053be34f835464bbe0 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 27 May 2026 13:55:50 -0400 Subject: [PATCH 1/5] Document System Lockdown Mode in security features Added information about System Lockdown Mode (SLM) and its impact on language modes in PowerShell. --- .../docs-conceptual/security/security-features.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/reference/docs-conceptual/security/security-features.md b/reference/docs-conceptual/security/security-features.md index 6dcf0937ac08..74696171d57c 100644 --- a/reference/docs-conceptual/security/security-features.md +++ b/reference/docs-conceptual/security/security-features.md @@ -77,6 +77,18 @@ system for Windows. For more information about how PowerShell supports AppLocker and App Control, see [Use App Control to secure PowerShell][10]. +### System Lockdown Mode + +System Lockdown Mode (SLM) is PowerShell's abstraction of the system-wide application control +policy enforced by Windows through App Control for Business or AppLocker. When Windows reports +that an application control policy is active, PowerShell enters SLM and applies +ConstrainedLanguage mode as the default for all runspaces. + +**Without SLM, language mode does not propagate between runspaces.** Each runspace independently +queries the Windows application control policy to determine its language mode. Setting the language +mode on one runspace does not affect other runspaces. Without an active application control policy, +new runspaces default to FullLanguage mode. + ## Software Bill of Materials (SBOM) Beginning with PowerShell 7.2, all install packages contain a Software Bill of Materials (SBOM). The From 89632280594ee1faa155f59634e1f421950ffb3d Mon Sep 17 00:00:00 2001 
From: Travis Plunk Date: Wed, 27 May 2026 13:59:07 -0400 Subject: [PATCH 2/5] Apply suggestion from @TravisEz13 --- reference/docs-conceptual/security/security-features.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reference/docs-conceptual/security/security-features.md b/reference/docs-conceptual/security/security-features.md index 74696171d57c..f08c25b20f3d 100644 --- a/reference/docs-conceptual/security/security-features.md +++ b/reference/docs-conceptual/security/security-features.md @@ -86,8 +86,8 @@ ConstrainedLanguage mode as the default for all runspaces. **Without SLM, language mode does not propagate between runspaces.** Each runspace independently queries the Windows application control policy to determine its language mode. Setting the language -mode on one runspace does not affect other runspaces. Without an active application control policy, -new runspaces default to FullLanguage mode. +mode on one runspace does not affect other runspaces. **Without an active application control policy, +new runspaces default to FullLanguage mode.** ## Software Bill of Materials (SBOM) From 195691e3b23c5cc807b1748c5f1de50feb65827f Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 27 May 2026 14:02:09 -0400 Subject: [PATCH 3/5] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- reference/docs-conceptual/security/security-features.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reference/docs-conceptual/security/security-features.md b/reference/docs-conceptual/security/security-features.md index f08c25b20f3d..dd4f8482364f 100644 --- a/reference/docs-conceptual/security/security-features.md +++ b/reference/docs-conceptual/security/security-features.md 
@@ -82,12 +82,12 @@ For more information about how PowerShell supports AppLocker and App Control, se System Lockdown Mode (SLM) is PowerShell's abstraction of the system-wide application control policy enforced by Windows through App Control for Business or AppLocker. When Windows reports that an application control policy is active, PowerShell enters SLM and applies -ConstrainedLanguage mode as the default for all runspaces. +`ConstrainedLanguage` mode as the default for all runspaces. **Without SLM, language mode does not propagate between runspaces.** Each runspace independently queries the Windows application control policy to determine its language mode. Setting the language mode on one runspace does not affect other runspaces. **Without an active application control policy, -new runspaces default to FullLanguage mode.** +new runspaces default to `FullLanguage` mode.** ## Software Bill of Materials (SBOM) From 215997ff739eec57b7432f60e3ca9fde0133d7b0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 27 May 2026 18:17:38 +0000 Subject: [PATCH 4/5] Clarify System Lockdown mode wording --- .../security/security-features.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/reference/docs-conceptual/security/security-features.md b/reference/docs-conceptual/security/security-features.md index dd4f8482364f..9ce976f5e367 100644 --- a/reference/docs-conceptual/security/security-features.md +++ b/reference/docs-conceptual/security/security-features.md 
@@ -77,17 +77,17 @@ system for Windows. For more information about how PowerShell supports AppLocker and App Control, see [Use App Control to secure PowerShell][10]. -### System Lockdown Mode +### System Lockdown mode -System Lockdown Mode (SLM) is PowerShell's abstraction of the system-wide application control -policy enforced by Windows through App Control for Business or AppLocker. When Windows reports -that an application control policy is active, PowerShell enters SLM and applies -`ConstrainedLanguage` mode as the default for all runspaces. +System Lockdown mode is PowerShell's abstraction of the system-wide application control policy +enforced by Windows through App Control for Business or AppLocker. When an application control +policy is active, PowerShell enters System Lockdown mode. In System Lockdown mode, the application +control policy determines the language mode for each runspace. -**Without SLM, language mode does not propagate between runspaces.** Each runspace independently -queries the Windows application control policy to determine its language mode. Setting the language -mode on one runspace does not affect other runspaces. **Without an active application control policy, -new runspaces default to `FullLanguage` mode.** +**Without System Lockdown mode, language mode does not propagate between runspaces.** Each +runspace independently queries the Windows application control policy to determine its language +mode. Setting the language mode on one runspace does not affect other runspaces. **Without an +active application control policy, new runspaces default to `FullLanguage` mode.** ## Software Bill of Materials (SBOM) From 5b0971fee65d8200ee399115b6847eba412bd308 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Wed, 27 May 2026 15:56:20 -0500 Subject: [PATCH 5/5] Editorial review --- .../docs-conceptual/security/security-features.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/reference/docs-conceptual/security/security-features.md b/reference/docs-conceptual/security/security-features.md index 9ce976f5e367..06769569a94c 100644 --- a/reference/docs-conceptual/security/security-features.md +++ b/reference/docs-conceptual/security/security-features.md @@ -79,15 +79,16 @@ For more information about how PowerShell supports AppLocker and App Control, se ### System Lockdown mode -System Lockdown mode is PowerShell's abstraction of the system-wide application control policy +In PowerShell, System Lockdown mode is an abstraction of the system-wide application control policy enforced by Windows through App Control for Business or AppLocker. When an application control policy is active, PowerShell enters System Lockdown mode. In System Lockdown mode, the application control policy determines the language mode for each runspace. -**Without System Lockdown mode, language mode does not propagate between runspaces.** Each -runspace independently queries the Windows application control policy to determine its language -mode. Setting the language mode on one runspace does not affect other runspaces. **Without an -active application control policy, new runspaces default to `FullLanguage` mode.** +> [!IMPORTANT] +> Without System Lockdown mode, language mode doesn't propagate between runspaces. Each runspace +> independently queries the Windows application control policy to determine its language mode. +> Setting the language mode on one runspace doesn't affect other runspaces. Without an active +> application control policy, new runspaces default to `FullLanguage` mode. ## Software Bill of Materials (SBOM)
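Review bot: In PATCH 4/5, the rewritten first paragraph under "System Lockdown mode" no longer names any resulting language mode. The removed sentence said PowerShell "applies `ConstrainedLanguage` mode as the default for all runspaces", while the replacement says only that "the application control policy determines the language mode for each runspace". After this change `FullLanguage` is the only mode the section names, and only for the no-policy case. Suggest stating which language mode or modes a runspace can end up in when a policy is active, or pointing to [Use App Control to secure PowerShell][10] for that detail, so a reader can tell what to expect on a locked-down machine.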
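Review bot: In PATCH 5/5, the `[!IMPORTANT]` block says that without System Lockdown mode each runspace "independently queries the Windows application control policy", but the paragraph above it defines System Lockdown mode as the state PowerShell enters when a policy is active. Read together, "without System Lockdown mode" means no policy is active, which leaves it unclear what the runspace is querying. The block also never states the contrasting case, that is, whether language mode does propagate between runspaces while System Lockdown mode is in effect. Suggest describing the behaviour in each of the two states explicitly and keeping the `FullLanguage` default sentence attached to the no-policy case.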